T&Cs
- Website Terms of Use
- Mukuru Money Transfer Service
- Mukuru Card Service
- MukuruPay Service
- Mukuru Funeral Cover Service
- Mukuru Airtime Advance
- Mukuru Rewards Program
Privacy
Competitions
Complaints
Last updated on 23 June 2026
At Mukuru, we respect your privacy. We collect and use your personal data to provide our services, meet legal requirements, and keep you safe. We share your data only when necessary and keep it secure. You have rights over your personal data, and we’re here to help if you have questions.
1. Definitions we use in this notice.
- The term “Mukuru” or “us” or “we” or “our” refers to the companies or any one of them that make up the “Mukuru Group”.
- The “Mukuru Group” is made up of companies connected to Mukuru. This connection can be because they are owned by the same company, or because they are part of a group of related companies (also known as affiliates or members). The Mukuru Group operates under the “Mukuru” brand.
- The term “you” or “your” refers to a natural person (an individual), or where applicable, a juristic person (company).
- “Mukuru Services” refers to money transfers and other financial products offered by the Mukuru Group. In South Africa, money transfers are provided by Mukuru Africa (Pty) Ltd, while other financial products come from Mukuru Financial Services (Pty) Ltd. Internationally, Remitix Limited and other Mukuru Group companies provide these services. References to “our services” or “the services” mean any Mukuru Services product or offering.
- The term “personal data” means any information about you that can be used to identify you and includes “personal information” as defined under South Africa’s Protection of Personal Information Act and Zimbabwe’s Cyber and Data Protection Act.
- A “controller” is a company that collects personal data and determines why and how it will be used.
- A “processor” is the company that processes personal data for a controller.
- When we use the phrase “applicable data privacy laws”, we are referring to the laws that apply to us and you when we process personal data. It includes but is not limited to the Protection of Personal Information Act, 2013 (POPIA), the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR (UK GDPR), or the UK Data Protection Act 2018.
2. Who is responsible for looking after your personal data?
Depending on the service you use, Mukuru may function as a controller providing you with the service, or as a processor, if we are processing on behalf of someone else.
Different companies within the Mukuru Group provide various services. Any personal data shared between them is protected by our intra-group company agreement to ensure your information is secure.
If you need more information on a Mukuru Group company, please email [email protected]
3. How do we collect your data, when and why?
Mukuru collects your personal data to provide our services. Below, we outline when, why, and how your personal data may be processed. If we process your personal data for reasons not listed here, it will still comply with applicable data protection laws. For questions about your data, email [email protected].
We collect most of your personal data from you. For example:
- When: You enter into an agreement with us, create an account or profile or ask for help.
Why: So that we can provide you with the services you want, help you before you enter into an agreement and to meet our obligations to you and the law applicable to us and our services. - When: We provide you with services.
Why: If you use our services, we need specific information to conduct our obligations. This information must be complete and correct. - When: You communicate with us.
Why: We keep record of all email and chat correspondence you send us. We want to make sure we understand what you want us to do, and we want to improve our service to you. Telephone calls made to and from the Mukuru contact centre will be recorded for quality, training, and monitoring purposes. When you interact with our AI assistant, chatbot, we may store and review your chat conversations to help provide and optimize the service. - When: You apply for a job or sign up to receive job posting updates. We collect this information directly from you or from the online platform you uploaded your resume or application on.
Why: So that we can consider you for recruitment purposes. - Other information you give us.
When: You fill in a form on our website or the Mukuru app (for example, the ‘Get in touch’ section), when you take part in competitions, surveys, or questionnaires about our products or services, or otherwise. It includes, for example, information you provide when you ask about our services, ask us to contact you or when you report a problem with our website, or service. - When: You provide your products or services to us and you are our supplier or partner, we may need to collect personal data of the juristic and/or natural persons involved. We may also collect personal data related to “business contacts” (supplier’s representatives and other individuals acting as a contact point between the supplier and Mukuru).
Data might be collected from you directly, or from your organisation.
When we provide services to you or your organisation, we process your data because it’s necessary for the performance of an agreement with you or your organisation.
We get personal data about you from other members of the Mukuru Group. - When: You create an account or profile with us, use our services, ask for information or help, or otherwise communicate with us.
Why: So that we can give you the services and information you want, ensure top customer service, and follow our legal and internal anti-money laundering, fraud, and AML obligations.
We only share your data with other companies in the Mukuru Group in connection with our services to you, or when you have given us consent (for example, when you want to create a Mukuru profile). When we provide services to you, under a contract, we process your data because it’s necessary for the performance of an agreement for services or because the law requires us to process your personal data. For marketing, we will ask for your consent to contact you.
We may also get your personal data from other sources, for example: - Recruiters, for job opportunities, and from job applicants if you are named as a reference.
- From someone who refers you for a vacancy.
- Providers who do background, criminal, credit, education, and identity checks or collect information from LinkedIn or other public sources or from data enrichment providers, for us when needed in connection with recruitment, employment, and investigations.
- When you take part in market research done by us or our research third-party providers.
- Social media – depending on your settings or the privacy policies for social media and messaging services such as Facebook, LinkedIn, Instagram, and others you might give us permission to access information from those accounts or services.
We will never ask you to share personal, account or security information on social media platforms. But we might ask you to message us in private through one of our official social media accounts. - From sanction lists, to make sure that the people we deal with aren’t subject to a sanction.
- Third parties we work with to make services available to you, customers taking part in refer-a-friend programmes, advertising networks, analytics providers, and search information providers.
- If one of our customers lists, you as a beneficiary on an insurance policy.
- Log Files – Log data is the information we record on when, how, and which visitors are using our website or the Mukuru app.
- Mukuru app – When you download the Mukuru app, we will collect Log Files and: your identity information, the type of device you are using, its operating system version, and system and performance information. Industry standard device fingerprinting mechanisms are used to secure customer transactions or app usage, without disclosing excessive detail. Your identity and device information is used to make sure you receive proper notifications. If you let us, we may send you push notifications to tell you about events or promotions. You can turn this off at device level.
We may use mobile analytics software to help us to understand how our mobile software works on your device. It is also used to find and fix problems. This software looks at how often you use the Mukuru app, the events that occur in the Mukuru app, aggregated usage, performance data, and from where you downloaded the Mukuru app. We don’t link this information to the personal data you put in Mukuru app. - Cookies and similar technologies
A cookie is a small file placed on your browser. It allows our website or the Mukuru app to identify your device. Cookies also make it possible for us to store your preferences so we can display content, options, or functions that are specific to you.
The information we collect is used to:- Give you a better experience of our website or the Mukuru app(functional).
- Count the pages you visit (statistics).
- Serve you relevant promotions and advertising (marketing).
Cookies don’t give us access to your device, but rather let us know information like which pages you visited on our website or the Mukuru app. - Please visit our Cookie Policy here for more information.
- When: You visit our offices or premises we may collect your personal data, including CCTV recordings in certain areas (we may use third parties to provide these services). Only images are caught on camera, no voice is recorded.
Why: To manage access control, to ensure the safety of employees, customers, and visitors and to identify and investigate criminal activity. This processing is done based on our legitimate interests.
Access to CCTV footage is controlled and data cannot be accessed and used without proper authorisation. You have the right to access your data, but not others’ data, unless permitted by applicable data privacy law. - Biometric Data Biometric data is a type of personal data that can uniquely identify an individual, for example, fingerprints and facial images.
- If your device supports biometric recognition (such as fingerprint or facial recognition), you may choose to use it to access the Mukuru app securely. When you do this, your biometric information is stored and managed on your device only. Mukuru does not store or access this biometric data.
- We may collect and process your biometric data as part of our identity verification (KYC) processes. This includes facial coding used to confirm your identity when you register or when we are required to verify who you are. We also process biometric data where necessary to prevent or detect unlawful acts, prevent fraud, and to comply with our obligations relating to terrorist financing and money laundering. In these cases, Mukuru or our trusted verification partners process your biometric data as controllers or processors, as applicable. Given the sensitive nature of biometric data, we apply strict access controls and retain it only for as long as required by applicable law or our legal obligations.
- Google Maps API(s)
We use Google Places API (used to get location data and autocomplete data) and Geocoding API (which converts addresses into geographic coordinates). This data is used for address verification purposes to meet our legal requirements. Google’s privacy terms applicable to the collection of this data is applicable and can be found here Privacy Policy – Privacy & Terms – Google.
Why else do we process your data? - To comply with laws and regulations.
Including rules regulating financial services, insurance, providing you with credit and more. We and our partners may also use your personal data to help detect or prevent crime (including terrorism financing, money laundering, fraud, and other illegal activities and financial crimes). This will only be done on the basis that it’s needed to comply with a legal obligation or it’s in our or our partner’s legitimate interests and that of others. - Troubleshoot and detect problems with the service and keep our services secure.
When we carry out these activities, we might use account and usage data. Usage data is especially relevant for investigating fraudulent activities – it allows us to piece together the timeframe of account user’s activities in the case of security-related incidents and to take adequate steps for mitigation.
The security of our services is crucial for us, so for these activities we rely on our legitimate interest to maintain and improve the security of our services. - Product and Service Improvement
We use data you generate while on our website or other channels to evaluate, improve and/or personalise existing and new products and services. Our analysis includes data analytics, statistical or other analysis to better understand how you use our services, and to respond to any service issues you may have.
The general goal of these activities is to enhance your experience and improve our products and services, keep you informed about and offer you new products, services, and benefits that we hope will help you but also educate you about good financial service behaviours based on your previous actions or needs, and we rely on our legitimate interest when conducting them. - Marketing
Where we are required to do so by law, we will ask for your consent for us to send you marketing communications. These communications may include competitions, promotions, our rewards program, and any other communication you ask us for.
For B2B (business-to-business) marketing, we rely on our legitimate interest to maintain and improve our business relationships. You may proactively manage your preferences or opt-out any time, using the links/commands given in our marketing communications.
When you unsubscribe from marketing (i.e., withdraw your consent or object to the processing), we will stop sending you marketing materials. We may retain your contact details on an internal do-not-contact list to make sure we do not send you unwanted marketing in future. - Automated systems
We use automated system/s for decision-making and profiling for some products and services as part of our continuous improvement of new and existing products and services.
Where a decision based solely on automated processing produces legal or similarly significant effects on you, you have the right to request human review of that decision. - Machine learning
We use machine learning from Mukuru or trusted providers to enhance our services, prevent fraud, and personalise your experience. Its use is limited to essential purposes only, with all decisions subject to human review. - Further use of your data
We process your personal data in line with this notice and relevant data protection laws. The only time we will use it for another ‘further’ purpose is if:- You gave us your consent for the further processing activity.
- The personal data is available from a public record or made public by you, where we are legally allowed to do so.
- We need to comply with a legal obligation.
4. What data do we collect?
- Children’s Data
Our services are not directed at children. However, where you list a minor as a beneficiary or dependent in connection with our services, we may process their personal data as described in this notice. - Customers (Sender and Policy Holder)– Title
– Full Names & Surname
– Preferred Name
– Country of Origin
– Country of Residence
– Mobile Number
– Email Address
– Date of Birth
– Address
– Proof of Address Image
– Gender
– ID and/or Passport Number
– ID and/or Passport Number Image– Selfie
– Occupation
– Monthly Income
– Proof of Income Image
– Banking Details
– Mukuru Card Details
– Customer Identity Profile (e.g. Sanctions)
– Medical Information (Specific to policy holder, i.e. death certificate)
– Criminal Data (for KYC purposes) - Agents
– First Names & Surname
– ID number
– ID image
– Photo
– Physical Address– Email Address
– Telephone Number
– Device IMEI Number
– Banking Details - Customers (Legal/Juristic persons), Suppliers, Partners, Service Providers, etc.
– Information on Legal/Juristic Customers and its representatives (employees, shareholders, directors etc) including position/designation within the entity.
– Registered and Trading Names, Registration numbers, ID and Passport Numbers, Physical addresses, Banking Details, Email Addresses, Telephone numbers, position/designation within the entity, date of birth.
– Director Information
– Corporate documents (registration documents, banking documents etc.)
– Transactional, financial and behavioural data, such as payment history, account interactions, usage patterns, and other financial information, to assess eligibility for other Mukuru products
– We collect and retain IP addresses associated with system access to Mukuru portals for fraud prevention, security monitoring and auditability. Access is restricted to authorized personnel, and the information is protected under our security and privacy controls. - Recipients
– Full Names & Surname
– ID and/or Passport Number
– ID Document and/or Passport Image
– Date of Birth
– Country
– Mobile Number– Relationship to Sender
– Gender
– Identity profile (e.g. Sanctions)
– Mukuru Card details
– Signature (Collection Slip Image) - Customers (Policy Holder’s Dependent/Beneficiary and Witnessing Family Member)
– Full names & Surname
– Date of Birth
– ID / Passport / Birth Certificate Number
– Contact Number - Employment candidates
– Title
– Full Names & Surname
– Preferred Name
– Place of residence
– Mobile Number
– Email Address
– Date of Birth
– Gender
– Address
– Proof of Address Image
– ID Number
– Photo
– ID Document Image– Banking Details
– Education
– Work history
– Medical Information
– Credit, criminal and offences checks
– Evaluation and assessment results
– Professional information about you from business networking sites (like LinkedIn)
– Internal interview notes
– Information on your next of kin or emergency contact/s. - Visitors to our premises
– Full names & Surname
– Employer
– Mobile number
– Reason for visit
5. How long do we keep your personal data?
We only keep your personal data for as long as we need to. This will depend on the services you want, the applicable data privacy laws we must follow, our need to respond to queries or complaints, our obligation to fight fraud, financial crime, and to respond to requests from regulators.
If we don’t need to keep it, we will destroy, delete, or de-identify it. All information kept on our systems is kept secure in line with industry standard requirements, best practice and our internal policies.
6. Who do we share your personal data with and why?
- Members of the Mukuru Group, for the reasons given in this Notice.
- Business partners, suppliers and/or vendors, to help us deliver our services to you, including authorised third-party partners who assist us in managing, processing, and responding to your inquiries as part of service delivery.
- Legal & regulatory authorities to comply with our legal obligations.
- Law enforcement and providers for purposes of anti-money laundering and financial crime prevention and investigations.
- Other Mukuru customers who wish to make a payment to you, using one of the Mukuru products. During the payment process they will enter your phone number, and we will show them your name so they can confirm the payment is going to the right recipient.
- Merger and acquisition stakeholders.
As part of disclosure in the event of a merger, sale, or other asset transfer. Your information may be transferred as part of such a transaction, as permitted by law or contract. - Social media and advertising partners.
- Google
We use Google Property Analytics, Google ads and other Google marketing tools which use cookies and similar technologies to collect and analyse information about use of the Sites, apps and online services and report on activities, actions and trends.
You can learn about Google’s practices by going to google.com/policies/privacy/partners, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at tools.google.com/dlpage/gaoptout. - Meta (Facebook)
We may use Meta Business Tools. Depending on the Meta Business Tool we use, we might share with Meta actions that you take on our website or App like, your visits to our website, your interactions on our website, use of Facebook Connect and information collected from cookies or similar technologies including the Facebook Pixel.
We do this to measure how effective our advertising is, to improve our marketing practices, and to deliver more relevant advertising to you and people like you.
You can exercise your data protection rights and find more information on how your data is used here. - Personalised advertising
We use advertising partners including Google and Meta for personalised advertising with our intention to deliver more relevant advertising to you and people like you. As part of this we share your personal data, but we observe appropriate technical measures to secure your data and identity. You can manage your preferences in this regard in your user account settings. - Social media management platform
Third Parties may, on our behalf, collect and analyse information from Mukuru’s social media platforms to monitor brand sentiment and respond to customer queries. This may include personal data of individuals who are not customers. We rely on legitimate interest for this processing. Understanding content sentiment allows us to improve our communication.
- Google
7. What Are Your Rights?
- You have the right:
- To be informed about our collection and use of your personal data.
- To access to your personal data.
- To rectify personal data that you think is inaccurate and to complete information you think is incomplete.
- To erasure (to be forgotten). You may ask us to erase your personal data.
- To restrict the processing of your personal data.
- To object to the processing of your personal data.
- To data portability. This means you can ask us to transfer your personal data to another organisation. This only applies in some countries, so please contact us for more information.
- To question automated decisions. You have the right to query a decision that we make about our services if the decision was made without any human involvement.
- If you want to exercise one of these rights, we may ask you for proof of your identity first. Some of these rights do have limitations. For example, if you ask for something, but it could reveal some else’s personal data, we may refuse. If you ask that we delete your information, but we have a legal obligation to keep it, or we have a legitimate interest or contractual obligation to keep it, we may keep your personal even if you want us to delete it.
- All requests must be in writing. We will try to respond within a reasonable period, but within 30 days from the date you ask. If we need more time, we will explain why. We may charge a fee for the request or refuse to action your request if it is excessive or unfound. We will give reasons if that is the case.
- Please contact us at [email protected] if you want to enforce any of these rights.
8. How do we carry out international transfers of your personal data?
The Mukuru Group is an international group of companies. For this reason, we may transfer your personal data to other countries. Those countries may have different laws and data protection compliance requirements from the country where you are located.
International transfers will be done in line with applicable data protection laws that require specific technical and organisational security measures and contractual transfer safeguards, like the EU’s Standard Contractual Clauses and the UK’s Addendum for restricted transfers. We conduct transfer risk assessments and implement supplementary safeguards where required.
9. Our Security Practices
Mukuru’s security systems and controls are designed to maintain confidentiality, prevent loss, unauthorised access, and damage to information by unauthorised parties. Our cyber security strategy is aligned to industry standard frameworks to ensure effective cyber security risk management for the organisation. We conduct continuous security vulnerability assessments to improve our security posture and provide assurance to all our stakeholders.
Our security measures have been implemented following ISO 27001:2022 standard requirements. For more information refer to our website here.
Unfortunately, the transmission of information via the internet (including by email) is not completely secure. We will do our best to protect your personal data, but we cannot guarantee the security of your data transmitted to our site; and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.
10. Changes to this notice
The most current version of this notice governs our practices for collecting, processing, and disclosing personal data and customers and contracting third parties will be notified when this notice is updated.
11. Contact Details
To contact the Data Protection Officer or Information Officer or for queries under this Privacy Notice, please email [email protected] marked “Attention DPO”.
12. Country-specifics
In addition to the above, there are some country-specifics for us to note.
BOTSWANA
Data protection in Botswana is governed by the Data Protection Act, 2024, overseen by the Information and Data Protection Commission (IDPC). If you have concerns about how your personal data has been handled, you may contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with the IDPC. The IDPC is in the process of establishing its public-facing contact channels.
Where we transfer personal data outside Botswana, we do so in accordance with the Data Protection Act, including where the recipient country provides an adequate level of protection, appropriate safeguards have been implemented, or another lawful basis for transfer applies.
KENYA
Data protection in Kenya is governed by the Data Protection Act, 2019, overseen by the Office of the Data Protection Commissioner (ODPC). If you have concerns about how your personal data has been handled, you may contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with the ODPC at www.odpc.go.ke or by email at [email protected].
MALAWI
Data protection in Malawi is governed by the Data Protection Act, 2024, with the Malawi Communications Regulatory Authority (MACRA) designated as the Data Protection Authority. If you have concerns about how your personal data has been handled, you may contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with MACRA at www.macra.mw or by email at [email protected].
NIGERIA
The processing of personal data of individuals in Nigeria is governed by the Nigeria Data Protection Act, 2023 (NDPA), overseen by the Nigeria Data Protection Commission (NDPC) at www.ndpc.gov.ng.
We process personal data of Nigerian data subjects on the lawful bases of contractual necessity, legal obligation, consent, vital interests, public interest, or legitimate interests, as applicable to each processing activity.
Where we transfer personal data outside Nigeria, we do so in accordance with Part VIII of the NDPA and the GAID, using an adequacy decision by the NDPC, a Cross-Border Data Transfer Instrument approved by the NDPC, or another lawful basis such as explicit consent or necessity for legal claims.
If you have concerns about how your personal data is handled, you may contact us at [email protected]. If you are not satisfied with our response, you may submit a complaint to the NDPC directly.
RWANDA
Data protection in Rwanda is governed by Law No. 058/2021 of 13/10/2021, overseen by the National Cyber Security Authority (NCSA) – Data Protection and Privacy Office (www.dpo.gov.rw). If you have concerns about how your personal data has been handled, you may contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with the Data Protection and Privacy Office at [email protected] or by calling 9080.
SOUTH AFRICA
Under POPIA, Data Controller and Data Processor mean the same as Responsible Party and Operator, respectively.
Data protection in South Africa is overseen by the Information Regulator. If you have concerns about how your personal data has been handled, you may contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with the Information Regulator at www.inforegulator.org.za or by email at [email protected].
UGANDA
Data protection in Uganda is governed by the Data Protection and Privacy Act, 2019, with oversight and enforcement carried out by the Personal Data Protection Office (PDPO), an independent office established under the National Information Technology Authority Uganda (NITA-U). If you have concerns about how your personal data has been handled, you may contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with the PDPO at www.pdpo.go.ug.
UNITED KINGDOM
In the United Kingdom, Mukuru services are provided by Remitix Limited, which is the data controller for personal data processed in connection with UK operations. Processing is carried out in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
If you have concerns about how your personal data has been handled, you may contact us at [email protected]. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection, at www.ico.org.uk or by calling 0303 123 1113.
ZAMBIA
In addition to the data listed in What do we collect detailed above, for money transfers involving a recipient in Zambia, the regulations require that we collect the TPIN (Taxpayer Identification Number) of the recipient being paid.
Data protection in Zambia is regulated by the Office of the Data Protection Commissioner (www.dataprotection.gov.zm). If you are not satisfied with our response to a data protection query, you may lodge a complaint with that office.
ZIMBABWE
In addition to the data listed in What do we collect detailed above, for money transfers involving a recipient in Zimbabwe, regulations require that we collect the city of the recipient being paid.
Data protection in Zimbabwe is governed by the Cyber and Data Protection Act (Chapter 12:07), with the Postal and Telecommunications Regulatory Authority of Zimbabwe (POTRAZ) designated as the Data Protection Authority. If you have concerns about how your personal data has been handled, you may contact us at [email protected]. If you are not satisfied with our response, you may lodge a complaint with POTRAZ at www.potraz.gov.zw.